New Delhi: “What happened? Your files are encrypted?”, “What is the price to repair? The price depends on how fast you can pay to us” — this is the message received from the alleged hackers, who crippled the servers of the All India Institute of Medical Science (AIIMS) in Delhi last month, sources in Delhi Police told ThePrint. Police are investigating both the possibility of a foreign sabotage through cyber-attack or a ransomware attack, the sources added.
When asked if the investigators suspected the involvement of China in the act, a key investigating officer said, “There is a possibility, it cannot be ruled out.”
This is because earlier this year, digital forensics analysis firm Recorded Futures, had said, that Chinese state-backed hacking groups have been responsible for multiple attacks on Indian power infrastructure.
According to the sources, the message left on the AIIMS servers after the hack read there was a “guarantee of repair of all data files”. The alleged hackers also offered to decrypt three files for free before a payment was made and warned that all files were protected by a strong encryption with “RSA-2048” and if an attempt was made to decrypt them using a third-party software, it might result in “permanent data loss”, the sources claimed.
RSA-2048D is a public-key encryption system used to secure data transmission. Encrypting data requires a digital “public-key”, as well as a “private key”. The combination of the two keys is required to decrypt digital information.
The message left behind on the AIIMs servers — sent via ProtonMail, an end-to-end encrypted email service — was the only link that the Delhi Police as yet have of the alleged hackers, sources told ThePrint. ProtonMail uses client-side encryption to protect email content and user data before they are sent to ProtonMail servers, unlike other email providers such as Gmail or Outlook.
Although several angles are being probed to identify the perpetrators of the cyberattack, the probe till now has pointed at the involvement of a “foreign actor”, said sources in Delhi police.
“We are still at the preliminary stage of the investigation, but we suspect the involvement of a foreign actor who may be behind this cyberattack. To trace the channel from where the virus came and identify the malware, we have sent the images of the affected servers for a forensic analysis. This will help us identify where the virus came from, and through which link and system it was installed in the server, which is crucial for the investigation,” a senior police officer said.
On 23 November, the AIIMS server, which stored data of patients for over a decade, came under a major cyberattack. It crippled the seamless system of online registrations for patients’ appointments, uploading and accessing lab reports, and coordinating between multiple departments of the hospital.
Though an FIR under Section 385 (extortion) of the Indian Penal Code and relevant sections of IT Act was registered, it is still unclear who targeted the AIIMS servers.
In October 2020, Mumbai’s electrical infrastructure had come under a cyberattack, allegedly with an intent to disrupt the power supply. Former Maharashtra energy minister, Nitin Raut, had claimed there was “intrusion of malware from China, UK and other places into the power grid system”.
A report by a cyber security company based in Massachusetts had also noted a “steep rise” in the use of malware by a Chinese group called Red Echo to target India’s power sector organisations in 2020, when tensions between the two countries were high.
Also read: 40% of Indian firms lost $50k-$100k to fraud, economic crime during peak Covid, says PwC report
‘Espionage, ransomware, LockBit’
Delhi police are working on several angles — from a case of espionage, to ransomware, or someone just trying to “send a message across and prove a point, by disrupting the entire system” in the AIIMS case, ThePrint has learnt.
Ransomware is a type of malware that encrypts a computer, system or server. This means that the system users are unable to access any information or data since all files are encrypted. The attackers then demand a ransom to unlock the information and data, usually in cryptocurrency. In addition to encrypting files and demanding money, the attackers may also steal data and threaten to misuse it in case their demands are not met.
Speaking to ThePrint a cyber expert, said it is unlikely for it to be a ransomware attack, despite the ProtonMail that was sent, as the hackers did not leave behind any secure communication channel to negotiate a ransom.
“An email is generally not used by competent hackers, who prefer a pre-placed secure messaging system or a third-party negotiator. In this in so many days, no such ransom has been sought. Moreover, why would a government medical institute be held for ransom?” the expert said.
According to a digital forensics expert familiar with the case, the absence of communication by the hackers was perplexing, suggesting that profit might not have been their only motive. “Typically, ransomware attackers will try to put pressure on their victim by leaking some amount of sensitive data, in the hope of creating pressure. That does not seem to be happening, at least yet,” said the expert.
Speaking about this being a case of possible espionage, the expert added, “An intelligence service would typically maintain surveillance, not crash the system. If they hack into a system, they would do it for information and not to disable a server and corrupt the data.
A senior official at the National Cyber Coordination Centre told ThePrint that some features of the attack suggested the malware inserted into the AIIMS networks — including the ransom note — resembled a malware known as LockBit, which has been used in ransomware attacks globally.
LockBit ransomware is a software which is designed to block user access to computer systems in exchange for payments, usually made in crypto. This software automatically vets for valuable targets, spreads the infection and encrypts all accessible computer systems or even a network.
“This allows the malware to self-spread using Windows Group Policy Objects (GPO) or the tool PSExec, potentially making it easier for the malware to laterally move and infect computers without the need for affiliates to know how to take advantage of these features for themselves, potentially speeding up the time it takes them to deploy the ransomware and encrypt targets,” a second cyber expert explained.
LockBit attackers have threatened organisations globally by disrupting their operations, extorting money and also by stealing relevant data and then blackmailing them threatening to release the same, the expert explained.
“Looking at how quickly the virus spread and crippled the system at AIIMS, it appears that LockBit was used here. More, however, will become clear once the malware is identified,” the expert said. “What is clear, however, is that AIIMS did not have a robust ecosystem and thus it is a wake-up call for having a strong cyber security strategy,” the second expert said.
‘NSCS had warned of threat’
Earlier this year, officials at the National Security Council Secretariat had conducted a simulation exercise, together with the Defence Research and Development Organisation (DRDO) and the Data Security Council of India, to build preparedness for cyber-attacks. More than 140 government officials, sources present at the exercise in April said, had discussed various scenarios, including disaster resilience in the face of cyber-attacks.
Standard procedures for defending against cyber-attack include regular updates of operating systems and anti-virus software, as well as the maintenance of off-line backups of critical data, senior officials said.
Those practices were discussed at the simulation, the sources said, but AIIMS had so far declined to discuss its information-security practices.
Interestingly, documents available with ThePrint show several officials at the AIIMS computer cell were using non-official email addresses, adding an additional layer of vulnerability to the network.
(Edited by Poulomi Banerjee)
Also read: Mewat is India’s latest Jamtara. And sextortion is the new kill